As employers, pharmacy business owners process their employees’ data daily, and must consider whether their contracts of employment and policies should be amended to reflect the new GDPR requirements.

Previously, employers asked employees to consent to their data being processed for employment-related purposes and included wording to that effect in employment contracts. The GDPR stipulates that additional requirements must be satisfied to obtain valid consent for the processing of ordinary and sensitive personal data. In practice, business owners will be unable to rely on employee consent to justify day-to-day processing of employee data; consent provisions in existing contracts of employment will likely be invalid and contractual wording should be updated.

Pharmacy businesses process highly sensitive personal data in relation to their patients, so owners must ensure that their systems are robust and compliant and that employees understand their data handling obligations. Owners should create appropriate and detailed policies to offer employees guidance on handling third party data, alert staff to such policies, and ensure employees are aware that any breach could result in disciplinary action.

Under the GDPR, employees/former employees remain able to make data subject access requests (“DSARs”) to a business for data held in relation to them. However, employers will no longer be able to charge a nominal fee for responding to a DSAR and the timeframe for response will be reduced from 40 calendar days to one month.

It would be unwise to ignore the recent changes, as penalties are high.

  • The above is a general overview and we recommend that you seek independent legal advice for your specific concerns.

Recommended

What are Minimum Energy Efficiency Standards?

New Minimum Energy Efficiency Standards (MEES) are key factors in the buying and selling of pharmacy premises and for le...

Buying for business: What rights do you have?

What happens if you buy something for the pharmacy that you aren’t happy with or is damaged? This is what the law ...